nhost / hasura-auth

Authentication for Hasura.
https://nhost.io
MIT License

Custom claims from refresh token? #351

Closed dminkovsky closed 8 months ago

dminkovsky commented 1 year ago

Custom claims are great, but you can only generate them based on the current user. Not the current refresh token, i.e. the user's current "session". I want to be able to generate claims based on the user's current session.

Example use-cases:

I would be down to make the PR. My proposed solution is adding another env var, say, AUTH_JWT_CUSTOM_CLAIMS_REFRESH_TOKEN that makes the query:

{
  authRefreshToken(token: <refresh-token>){
    <fields>
  }
}

Any session-based claims would supplement user-based claims. No existing functionality would be modified.

stale[bot] commented 1 year ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

dbarrosop commented 1 year ago

Apologies this one fell through the cracks, is this something you still need?

dminkovsky commented 1 year ago

No worries! Nope, not right now. I can contribute this in the future if/when I need it, if it's a PR you'd be interested in.

dbarrosop commented 1 year ago

At this point I'm mostly interested in discussing the use-case and the solution, as something similar to this could be used to escalate privileges. The main difference is that your solution may or may not require an extra authentication step, while escalating may (an example of what I mean is GitHub's settings page, where they ask you to re-enter the password to perform some changes).

stale[bot] commented 8 months ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.